Visibility Restrictions for Required Combinations

The fact that information labels must be dominated by their associated sensitivity label,
and that sensitivity labels specified by a user must be dominated by that
user's clearance, places some constraints on what words can be added to certain
labels. For example, if adding a word to an information label raises
the information label such that it is no longer dominated by the associated
sensitivity label, then that word is not visible in the information label.
Similarly, if adding a word to a sensitivity label raises the sensitivity of
the label such that it is no longer dominated by the associated
user's clearance, then that word is not visible in the sensitivity label.

It is important that any word required by another word in a
required combination be visible whenever the requiring word is visible. For example, given
the required combination:

A B

which means A requires B, word B must be visible whenever word
A is visible. If B were not visible at some point when
A was visible, a situation could occur whereby A could legally be added
to a label, were it not for the fact that doing so would
require also adding B, which would violate a dominance relationship. Such a
situation must be prevented by careful construction of required combinations. There are
no restrictions on required combinations of words with only marking bits (i.e., no
compartment bits) associated, because marking bits do not participate in the dominance relationships
mentioned above.

One practical ramification of this restriction is that 1) sensitivity label required combinations
should not be more restrictive than the equivalent clearance restrictions, and that 2)
information label required combinations should not be more restrictive than the equivalent sensitivity
label restrictions. A concrete example of this problem can be taken from
the sample encodings in Appendix B, Annotated Sample Encodings.

Consider the SA and CC compartments in the CLEARANCES: and SENSITIVITY LABELS: encodings.
The REQUIRED COMBINATIONS: in both of these sections are:

SB B
SA A

Now, consider the same where an additional required combination is added to only
the SENSITIVITY LABELS: encodings:

SA CC

This additional required combination, which makes the sensitivity label required combinations more restrictive
than those for clearances, specifies that if SA is present in a sensitivity
label, CC must also be present. Now consider the case of a
user with the clearance TS A B SA SB. Such a
clearance is perfectly valid according to the encodings, but such a user can
never put SA in a sensitivity label because SA requires CC, yet the
user is not cleared for CC.